Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

BACKDOOR GRAYBIRD


  • Please log in to reply

#1
dbaorc

dbaorc

    Member

  • Member
  • PipPip
  • 13 posts
Hi,

I found BACKDOOR.GRAYBIRD on two out of three of my XP machines this morning. Machine THREE is a new Windows XP media center machine with McAfee. Machine THREE did NOT seem to have it, or at least McAfee did not detect it(scanning now). They are all served by the same router in my cellar. My first question is 'How did this happen?' Was it because someone hacked into all of the machines? Did someone open up an email with an attachment and it spread the Trojan? Norton detects it on Machine ONE and TWO, but can only delete from machine ONE(my work machine with a corporate license of NORTON). Machine TWO gets an alert from NORTON but isn't able to do any thing with it. Both infected machines do not have the file in Windows Explorer after the startup. Machine ONE detects it in Windows/Temp/mc##.exe, and MACHINE TWO detects it in C:\Documents ~1/Owner/L...\mc22.tmp. I have followed everything step through and including STEP 4. I will provide ewido, and hijack log for each machine:

MACINE ONE

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:01:03 PM, 9/16/2005
+ Report-Checksum: 33C703C5

+ Scan result:

No infected objects found.


::Report End

MACHINE ONE (Hijack LOG)
Logfile of HijackThis v1.99.1
Scan saved at 2:49:27 PM, on 9/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\marimba\castanet tuner\tuner.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\marimba\castanet tuner\lib\jre\bin\java.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Java\j2re1.4.2_08\bin\javaw.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eweb.verizon.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://eweb.verizon.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://eweb.verizon.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.ver...gi-bin/getproxy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Marimba User Login.LNK = C:\WINDOWS\system32\wscript.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://eweb.verizon.com/
O16 - DPF: JavaConnect - file://C:\TEMP\SISD\JavaConnect.cab
O16 - DPF: Sametime Directory Applet ST31 - file://C:\TEMP\SISD\STDirectoryApplet.cab
O16 - DPF: ST BC ST31IF1 PMR-90722999000 - file://C:\TEMP\SISD\STBroadcastClient.cab
O16 - DPF: ST MRC ST31IF1 PMR-90722999000 - file://C:\TEMP\SISD\STMeetingRoomClient.cab
O16 - DPF: {719433EA-60DE-45A8-8255-115826F16D5B} (STConnectivityAgent Control) - file://C:\TEMP\SISD\InstallSTConnAgent.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us1.ent.verizon.com
O17 - HKLM\Software\..\Telephony: DomainName = us1.ent.verizon.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us1.ent.verizon.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = verizon.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us1.ent.verizon.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = verizon.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = verizon.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: marimba - Marimba, Inc. - C:\marimba\castanet tuner\tuner.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe


MACHINE TWO
ewido report:
------------------

ewido security suite - Scan report

----------------------------------------
-----------------



+ Created on: 12:54:48 PM,
9/16/2005

+ Report-Checksum: 414F8179



+ Scan result:




HKU\.DEFAULT\Software\Microsoft\Windows\
CurrentVersion\Ext\Stats\{00A6FAF1-072E-
44CF-8957-5838F569A31D} ->
Spyware.MyWebSearch : Cleaned with
backup


HKU\.DEFAULT\Software\Microsoft\Windows\
CurrentVersion\Ext\Stats\{07B18EA1-A523-
4961-B6BB-170DE4475CCA} ->
Spyware.MyWebSearch : Cleaned with
backup


HKU\S-1-5-18\Software\Microsoft\Windows\
CurrentVersion\Ext\Stats\{00A6FAF1-072E-
44CF-8957-5838F569A31D} ->
Spyware.MyWebSearch : Cleaned with
backup


HKU\S-1-5-18\Software\Microsoft\Windows\
CurrentVersion\Ext\Stats\{07B18EA1-A523-
4961-B6BB-170DE4475CCA} ->
Spyware.MyWebSearch : Cleaned with
backup

C:\Documents and
Settings\Owner\Cookies\owner@2o7[2].txt
-> Spyware.Cookie.2o7 : Cleaned with
backup

C:\Documents and
Settings\Owner\Cookies\owner@ad.yieldman
ager[2].txt ->
Spyware.Cookie.Yieldmanager : Cleaned
with backup

C:\Documents and
Settings\Owner\Cookies\owner@adbrite[1].
txt -> Spyware.Cookie.Adbrite : Cleaned
with backup

C:\Documents and
Settings\Owner\Cookies\owner@ads.addynam
ix[1].txt -> Spyware.Cookie.Addynamix :
Cleaned with backup

C:\Documents and
Settings\Owner\Cookies\owner@ads.pointro
ll[1].txt -> Spyware.Cookie.Pointroll :
Cleaned with backup

C:\Documents and
Settings\Owner\Cookies\owner@as-us.falka
g[2].txt -> Spyware.Cookie.Falkag :
Cleaned with backup

C:\Documents and
Settings\Owner\Cookies\owner@bluestreak[
2].txt -> Spyware.Cookie.Bluestreak :
Cleaned with backup

C:\Documents and
Settings\Owner\Cookies\owner@casalemedia
[1].txt -> Spyware.Cookie.Casalemedia :
Cleaned with backup

C:\Documents and
Settings\Owner\Cookies\owner@centrport[2
].txt -> Spyware.Cookie.Centrport :
Cleaned with backup

C:\Documents and
Settings\Owner\Cookies\
owner@citi.bridgetrack[1].txt ->
Spyware.Cookie.Bridgetrack : Cleaned
with backup

C:\Documents and
Settings\Owner\Cookies\owner@fastclick[2
].txt -> Spyware.Cookie.Fastclick :
Cleaned with backup

C:\Documents and
Settings\Owner\Cookies\owner@perf.overtu
re[1].txt -> Spyware.Cookie.Overture :
Cleaned with backup

C:\Documents and
Settings\Owner\Cookies\owner@questionmar
ket[1].txt ->
Spyware.Cookie.Questionmarket : Cleaned
with backup

C:\Documents and
Settings\Owner\Cookies\
owner@serving-sys[1].txt ->
Spyware.Cookie.Serving-sys : Cleaned
with backup

C:\Documents and
Settings\Owner\Cookies\owner@tribalfusio
n[1].txt -> Spyware.Cookie.Tribalfusion
: Cleaned with backup

C:\Documents and
Settings\Owner\Cookies\owner@z1.adserver
[1].txt -> Spyware.Cookie.Adserver :
Cleaned with backup

C:\Documents and
Settings\Owner\Local
Settings\Application
Data\Wildtangent\Cdacache\00\00\0F.dat/f
iles\wtvh.dll -> Spyware.WildTangent :
Cleaned with backup

C:\Documents and
Settings\Owner\Local
Settings\Application
Data\Wildtangent\Cdacache\00\00\21.dat/f
iles\wtvh.dll -> Spyware.WildTangent :
Cleaned with backup

C:\WINDOWS\system32\f3PSSavr.scr ->
Spyware.MyWebSearch : Cleaned with
backup





::Report End


MACHINE TWO (Hijack LOG)
Logfile of HijackThis v1.99.1
Scan saved at 3:05:27 PM, on 9/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://ie.redirect.h...=Q304&bd=pavili
on&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://ie.redirect.h...&c=Q304&bd=pavi
lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://channels.aimt.../aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://ie.redirect.h...&c=Q304&bd=pavi
lion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.comcast.net/chsi.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://ie.redirect.h...=Q304&bd=pavili
on&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://ie.redirect.h...&c=Q304&bd=pavi
lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://ie.redirect.h...&c=Q304&bd=pavi
lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://ie.redirect.h...&c=Q304&bd=pavi
lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://ie.redirect.h...=Q304&bd=pavili
on&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = localhost
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} -
C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program
Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program
Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} -
C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} -
C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program
Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program
Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program
Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program
Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program
Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint
Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec
Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
/Consumer
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy
Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital
Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe"
-quiet
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program
Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Program
Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program
Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from
HP\137903\Program\BackWeb-137903.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program
Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM
Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol
toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program
Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... -
C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program
Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program
Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program
Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} -
C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -
C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program
Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} -
C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) -
http://www.uproar.co...pside_web18.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} -
http://www.miniclip....pGameLoader.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai...o.com/housecall
/xscan53.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) -
http://www.shockwave...mjolauncher.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -
http://h30043.www3.h.../qdiagh.cab?326
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program
Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program
Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec
Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec
Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton
AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation
- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation -
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc.
- C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Any and all help and comments would be appreciated. I would really like to determine the root cause, but rid my machines of this Trojan.

Thanks
dbaorc

Edited by dbaorc, 16 September 2005 - 05:59 PM.

  • 0

Advertisements


#2
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
hello dboarc,

i'm reviewing your logs and will have an answer for you soon. in the mean time I need to get some more info.

first have you tried to manually delete these files that were found? and are they returning aftwards?

in reference to your question about how you got infected with them. It could be a number of ways.

a "drive-by" download, file attachment on a email (Note: this could even be a file attachment you were waiting for, and the sending computer was the infected without the users knowledge), or it "piggybacked" with a file you may have downloaded from a website. These are the most common ways for trojans to get installed on your system. Unfortunately there is no sure fire way of determining how you got it.
  • 0

#3
dbaorc

dbaorc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Yes, On Machine One Norton says that it deleted it(mc28.exe) from C:\Windows\Temp, Machine TWO Norton says it's unable to delete it(mc22.tmp) C:\Document~\OWNER\L~\. I receive this everytime I reboot, so Yes it keeps returning.
Thanks for your quick response.
  • 0

#4
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
Click Here to download TheKillbox. Extract TheKillBox.exe from the zip file and double click it to open it up. In the 'Enter Full Path and Filename to Delete' box, copy and paste this entry. make sure that delete on reboot is selected, then click on the red circle with the white X.

for machine 0ne
C:\Documents ~1/Owner/L...\mc22.tmp

for machine two, if it is still returning.
C:\Windows/Temp/mc28.exe

Click 'Exit' when done.

Note: If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run: http://www.javacools...ngfilesetup.exe. Then try TheKillbox again.

after that is done, please do the following on both machines.

Download rkfiles.zip and unzip it to its own permanent folder.

Important! Reboot in SAFE MODE !!

Start in Safe Mode Using the F8 method:

* Restart the computer in Safe Mode.
* As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
* Use the arrow keys to select the Safe Mode menu item.
* Press the Enter key.


Locate the rkfiles.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

Post the contents of C:\log.txt back here and I will review it when they comes in.

Edited by Efwis, 17 September 2005 - 11:13 AM.

  • 0

#5
dbaorc

dbaorc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi Efwis,

Sorry for the delay, but I have been away from these machines. It seems that when I start up both machines now I don't get that Norton message about the backdoor.graybird(last night and today). So, I didn't apply your last message to the two machines. I wonder if this is OK? On Machine One this morning ewido caught a not-a-virus.tool.psexec.123 on my C:\Windows\System32\PSexecsvc.exe, which I replied clean to, twice, as prompted. Is this a new backdoor, or the same one, and should I definately apply your last post to both Machines?

Thanks
dbaorc
  • 0

#6
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
please apply my last steps to your machines, This way we can make sure there is nothing left on either one that shouldn't be.
  • 0

#7
dbaorc

dbaorc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi Efwis,

I was able to able your above fix to Machine TWO, and here is it's lof.txt from rkfiles:
C:\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye


I am not able to get to MACHINE ONE, because it's my work machine and it will be tied up for awhile, but I'll do the same for it and post its' results later.

Thanks
dbaorc
  • 0

#8
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
well I can tell you the log from Machine two is clean, there is nothing there to worry about. I'm wondering with the way you described the problems, If the main issue is coming from machine ONE, will wait until I see the log from that one to let you know.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP